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PRIORITIZATION OF THIRD PARTY ACCESS TO AN ONLINE COMMERCE SITE 



BACKGROUND OF THE INVENTION 
Field of the Invention 

[0001] The invention relates to the field of network computing. More specifically, the 
invention relates to the prioritization of third party access to an online commerce site. 

Background of the Invention 

[0002] The online commerce marketplace allows users to buy and sell goods and services 
(e.g., via an online auction web site) to geographically dispersed consumers. Typically, a 
user employs automated processes to buy or sell their own products on the online 
commerce site. By partnering with an established online commerce site, a user (e.g., a 
merchant) bypasses the cost of building an online commerce infrastructure from scratch, 
thereby reaching the online market quickly and accessing a large number of good and 
services in addition to a large number of buyers and sellers. 

[0003] Permitting uncontrolled access to the online commerce site has some drawbacks, 
such as the drain on system resources due to the increased processing performed on the 
online commerce site. For example, a third party may utilize an automated program to 
extract information such as product listings and pricing information, from the online 
commerce site at various unpredictable times. The automated program may place a heavy 
load on the online commerce site that causes substantial response time delays to all users 
of the online commerce site. These response time delays may eventually frustrate the 
consumers of the site, causing them to cease using the online commerce site and seek 
another electronic commerce site from which to conduct business. 
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BRIEF SUMMARY OF THE INVENTION 

[0004] Providing prioritization of user online access to an online commerce site. Third party 
applications using API function calls to access an online commerce site are restricted to 
specific services by an access rule. An access rule defines which API server on the online 
commerce site a specific third party application may access when using a specific API 
function call. In this way, the operator of the online commerce site may prioritize server 
access per service level agreements based on a specific third party application and API 
function call. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0005] The invention may best be understood by referring to the following description and 
accompanying drawings that are used to illustrate embodiments of the invention. In the 
drawings: 

[0006] Figure 1 illustrates an online commerce system according to one embodiment. 

[0007] Figure 2 is a flow diagram illustrating access rule processing on an online 
commerce site according to one embodiment. 

[0008] Figure 3 is a flow diagram illustrating a process of using access rules on a third 
party application server according to one embodiment. 

[0009] Figure 4 illustrates a flow diagram of one embodiment of using access rules and 
rate usage limits on an online commerce server. 

[001 0] Figure 5 depicts an exemplary computer system suitable for practicing the present 
invention. 
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DETAILED DESCRIPTION OF THE INVENTION 

[001 1 ] In the following description, numerous specific details are set forth to provide a 
thorough understanding of the invention. However, it is understood that the invention may 
be practiced without these specific details. In other instances, well-known circuits, 
structures and techniques have not been shown in detail in order not to obscure the 
invention. 

[0012] Prioritization of user online access to an online commerce site is described. 
According to one embodiment, an online commerce merchant configures an access rule to 
prioritize third party online access. An access rule defines how a third party may access 
the online commerce site. For example, a user may be limited, with an access rule, to a 
specific service on a specific server on the online commerce site, thereby, providing 
predictability to the operator of an online commerce site as to user accesses the online 
commerce site. In this way, the operator of an online commerce site may negotiate a 
service level agreement to provide access to specific servers with predetermined service 
levels as will be further described below. 

[0013] Figure 1 illustrates an online commerce 100 system according to one embodiment. 
A third party server area 102, a network area 104, and online commerce site 106, partitions 
the online commerce system 100. 

[0014] The third party server area 102 includes third party application servers 1 10 and 
115. The online commerce area 106 includes Application Program Interface (API) servers 
140, 142, and 144, and data storage devices 150, 152, 154, and 156. Any of the API 
servers 140, 142, and 144 may access any of the data storage devices 150, 152, 154, and 
156. The network area 104 includes a network 130 (e.g., the Internet) . The network 130 
provides connectivity between any of the third party application servers 110 and 1 15 in the 
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third party server area 102 and any of the API servers 140, 142, and 144 of the online 
commerce site 106. Access by the third party application servers 1 10, 1 15 may be 
prioritized based on a service level agreement, across the multiple API servers 140, 142, 
144, as will be further described below. 

[0015] Generally, third party developers create applications on the third party application 
servers 1 1 0 and 1 1 5 to access information and services available in the online commerce 
site 106 in a client/server type environment. For example, where the online commerce site 
106 operates as an online auction site, the online auction site may store pricing and 
product information in the data storage devices 150, 152, 154, and 156. The application 
hosted by the third party application server 1 10, 1 15 may use a HTML form or CGI program 
using the standard XML (extensible Markup Language) data format, and may be written in 
C++, Perl, Pascal, or any other programming language capable of issuing data requests via 
the network 100 (e.g., the Internet). In one embodiment, each third party application 
hosted by the third party application servers 1 10, 1 15 uses APIs (application programming 
interfaces) to access the services provided by the online commerce site 106. In general, 
APIs are standard programming interfaces (i.e., contracts) that define the input and output 
of function calls published by the online commerce site 106 to third party software 
programmers to automate access to services on the online commerce site 106 efficiently 
via application programs (e.g., to create an application to conduct auctions, and to manage 
auction and user information). 

[0016] In one embodiment, a third party application must obtain access rule(s) before 
accessing the services on the online commerce site 106. For example, an access rule may 
include a URL (uniform resource locator) that addresses the API server 140, 142, or 144, 
with which the third party application 110 and 1 15 is to connect (or communicate) when 
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accessing the services of the online commerce site 1 06. In this way, the URL directs a 
specific user to a specific API server on the online commerce site 1 06 per the service level 
agreement. The access rule may also be configured to direct a specific user to a specific 
API server having a different service level based on the specific API function call to be 
used. For example, the third party application server 1 1 0 may be directed (via a URL 
stored in an access rule) to connect to API server 140 when servicing a "Getltem" API 
function call to retrieve information describing an item offered for sale via the online 
commerce site 106. 

[0017] The access rule(s) are configured on the online commerce site 1 06. For example, 
an administrator of the online commerce site 106 may configure access rules stored in the 
data storage device 150 via the administrator portal 160. In one embodiment, each rule 
has a record in a database table that corresponds to one API function call type. 
Specifically, the table includes a field for a RuleJD, an APPJD, a CallName, and a URL 
for each API function call. The RuleJD field stores an identifier for a specific rule. The 
AppJD field stores the identifier of the third party application. The CallName field stores 
the name of an API function call. The URL field stores the URL that the third party 
application should use when utilizing the API function call associated with the CallName. In 
this way, the administrator configures each access rule per the service level agreement to 
an API function used by a specific third party application to connect (via a given URL) to a 
specific API server. The access rule may also include rate usage information that limits 
third party application access as will be further described below. 

[0018] In one embodiment, the access rule(s) are resident on the third party application 
server before the third party application accesses the services of the online commerce site 
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106. The third party application may request the access rule(s) from the online commerce 
site 106 using an API function call as will be further described below. 

[0019] It should be appreciated that in this way, the online commerce merchant may 
prioritize access of third party application servers 1 10 and 1 15 to API servers 140, 142, 144 
on the online commerce site 106. For example, the online commerce merchant may 
negotiate to provide a premium service level (e.g., guarantee faster response time) to third 
party application server 110 and provide a standard service level to the third party 
application server 115. The API server 142 may be designated as a premium server (for 
example, because a minimum number of third party applications have access to the API 
server 142, the API server 142 has additional resources and services available, among 
other examples), while the API server 144 may be designated as a standard server. 
Therefore, an access rule associated with an application on the third party application 
server 110 defines connectivity to the API server 142 for the premium service requests and 
an access rule associated with an application on the third party application server 115 
defines connectivity to the API server 144 for the standard server requests. 

[0020] A third party application may schedule the request for access rule(s) on a periodic 
basis (e.g., nightly). In this way, the third party application may receive any access rule 
updates performed by the administrator after analyzing the usage pattern of all third party 
applications. Continuing the example, if it is determined that the response time provided by 
the premium service on the API server 142 is not acceptable, then an administrator may 
modify the appropriate access rule to redirect the third party application server 1 1 0 to 
connect to a premium service on the API server 144 instead of connecting to API server 
142 as previously defined. 
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[0021] Figure 2 is a flow diagram illustrating access rule processing on the online 
commerce site 106 according to one embodiment. 

[0022] At block 210, the API server 140 receives a request for an access rule from a third 
party application. As stated above, the request may originate from an API function call. In 
one embodiment, the function call request is passed from a third party application to the 
online commerce server 106 via a URL request string. By using a URL request string, 
through the HTTP transport protocol, to make the API function call the API function is 
rendered-platform independent. Therefore, the third party application may be on any 
Internet capable machine including Microsoft Windows, Unix, Linux, or Macintosh 
computer, among others. 

[0023] At decision block 220, the API server 1 40 determines whether the request is a 
valid. In one embodiment, the request includes an application identifier, a developer 
identifier, and a session certificate. The application identifier identifies the third party 
application that transmitted the request. In one embodiment, a session certificate is a 
string of characters unique to a third party application. The session certificate string for the 
third party application is passed along with the developer identifier and the application 
identifier for each API function call type and is used by the API server 140, 142, and 144 to 
validate the request. 

[0024] At block 225, the request is not validated and a descriptive message of the error 
result is returned back to the requesting third party application. 

[0025] At block 230, if the third party application request is validated, the access rule(s) 
for the predefined service levels for the identified third party application are returned to the 
requesting third party application. For example, the API server 140 may access an access 
rules database table on the data storage device 150 for all the access rules associated with 
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the application identifier of the request. Each access rule to be returned to the requesting 
third party application includes a CallName and a URL that the third party application 
should use when making a API function call associated with the CallName, as will be 
further described. In this way, the third party application will be directed to the API server 
140, 142, 144 providing the appropriate service level. 

[0026] Figure 3 is a flow diagram illustrating a process of using access rules on a third 
party application server according to one embodiment. At block 31 0, the third party 
application makes a request for access rules to an API server. The request may be made 
to a predefined API Server or to any of the API Servers on the online commerce site 1 06. 

[0027] At block 320, the third party application receives the appropriate access rules. 
Upon receiving an access rule, the third party application saves the access rule in a data 
store such as a storage device, a memory, and a database, for example. 

[0028] At block 330, the third party application intends to perform an API function call to 
the online commerce site 106. Examples of API functions for an online auction site include: 
an Addltem function (sends a request to the online commerce site to put an item up for 
auction), a Getltem function (used to query the online commerce site and retrieve the 
information for one auction item); a GetSellerList function (queries the online commerce 
site and retrieves a list of the items a specific user/merchant is selling); a GetSearchResults 
(searches for items on the online commerce site); among other examples. Further 
examples of APIs to access an online auction site are described in the patent application 
entitled "Method and Apparatus to Facilitate a Transaction within a Network-Based Auction 
Facility", Serial number 09/999,618, Assigned to eBay, Inc. 

[0029] At block 340, the URL from the access rule associated with intended API function 
call is obtained. The URL is retrieved from the access rule in the data store having a 
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CallName associated to the intended API function call. Again, the URL may direct the user 
to the API server servicing the negotiated service level. 

[0030] At block 350, upon obtaining the appropriate URL, the third party application 
applies the intended API function call to the appropriate API server on the online commerce 
site 106. 

[0031] Figure 4 illustrates a flow diagram of one embodiment of using access rules and 
rate usage limits on an online commerce site. At block 410, an API server 140-144 
receives a request to access the services on the online commerce site 106. As stated 
above, the request may for example be an API function call for a list of seller items (e.g., 
GetSellerltemList API function). 

[0032] At decision block 420, a validation is performed on the request. If the request is 
validated, control passes to block 425. If the request is not validated, control passes to 
block 430. The application identifier, developer identifier, or session certificate, or any 
combination thereof, included in an API function call header, may be used to validate the 
request based on the associated (or matching) access rule stored on the online commerce 
site 106. 

[0033] Validation may also include determining whether the requesting API function call is 
to the appropriate API server. The third party application may connect to API server to 
which it has been assigned in the access rule. Continuing the example, if the access rule 
for the third party application server 115 defines the GetltemList API function to be made to 
API server 142 (via the URL stored in the access rule associated with the GetitemList API 
function), then a validating API server will validate that a request is made to the appropriate 
API server 142. 
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[0034] At block 425, the request is not validated and a descriptive message is returned 
back to the requesting third party application. 

[0035] At block 430, the appropriate API server determines whether the third party 
application has exceeded a predefined maximum rate usage level. For example, the 
administrator may limit the third party application to perform a certain number of 
transactions per unit of time (e.g., 80,000 searches per day). If the third party application 
has exceeded the maximum rate usage, control passes to block 460. If the third party 
application has not exceeded the maximum rate usage, control passes to block 440. In this 
way, block 430 operates like a circuit breaker to limit third party access if it exceeds the 
agreed-upon transaction limits. 

[0036] In another embodiment, block 430 may determine whether the third party application 
has exceeded other predefined maximum rate usage levels, such as, the maximum number 
of calls within a predefined time frame (e.g., per day, per hour), the maximum number of 
simultaneous calls, whether the call is during a predefined time of day, among other 
examples. 

[0037] At block 440, the third party application has not exceeded the maximum rate usage 
level, therefore, the API function call is performed, and if necessary, a usage rate counter 
increased. Continuing the example, the number of transaction results performed may be 
added to the maximum rate usage counter for the specific third party application. The 
maximum rate usage counter value may be stored in memory of the API server or in one of 
the databases 150, 152, 154, and 156. 

[0038] At block 445, the API server returns the transaction results up to the maximum rate 
usage level. Therefore, if the third party application reaches the maximum rate usage upon 
performing the requested transaction, only those transactions that are below the maximum 
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rate usage level are transmitted to the third party application. Control then passes to block 
445. 

[0039] At block 460, the third party application has exceeded the maximum rate usage 
and a descriptive message is returned back to the requesting third party application. 

[0040] One embodiment of an API server suitable for managing access rules is illustrated 
in Figure 5. The computer system 540 includes a processor 550, memory 555 and 
input/output capability 560 coupled to a system bus 565. The memory 555 is configured to 
store instructions which, when executed by the processor 550, perform the methods 
described herein. The memory 555 may also store access rules. Input/output 560 
provides for the delivery and display of software to a device and allows for the modification 
of the access rules thereof. Input/output 560 also encompasses various types of machine- 
readable media, including any type of storage device (e.g., preference database 240) that 
is accessible by the processor 550. The description of Figure 5 is intended to provide an 
overview of computer hardware and other operating components suitable for implementing 
the invention, but is not intended to limit the applicable environments. It will be appreciated 
that the computer system 540 is one example of many possible computer systems, which 
have different architectures. A typical computer system will usually include at least a 
processor, memory, and a bus coupling the memory to the processor. One of skill in the art 
will immediately appreciate that the invention can be practiced with other computer system 
configurations, including multiprocessor systems, minicomputers, mainframe computers, 
and the like. The invention can also be practiced in distributed computing environments 
where tasks are performed by remote processing devices that are linked through a 
communications network. It will be appreciated that more or fewer processes may be 
incorporated into the method illustrated in Figures 2 and 3 without departing from the scope 
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of the invention and that no particular order is implied by the arrangement of blocks shown 
and described herein. It further will be appreciated that the method described in 
conjunction with Figures 2 and 3 may be embodied in machine-executable instructions, e.g. 
software. The instructions can be used to cause a general-purpose or special-purpose 
processor that is programmed with the instructions to perform the operations described. 
Alternatively, the operations might be performed by specific hardware components that 
contain hardwired logic for performing the operations, or by any combination of 
programmed computer components and custom hardware components. The method may 
be provided as a computer program product that may include a machine-readable medium 
having stored thereon instructions, which may be used to program a computer (or other 
electronic devices) to perform the method. For the purposes of this specification, the terms 
"machine-readable medium" shall be taken to include any medium that is capable of storing 
or encoding a sequence of instructions for execution by the machine and that cause the 
machine to perform any one of the methodologies of the present invention. The term 
"machine-readable medium" shall accordingly be taken to include, but not be limited to, 
solid-state memories, optical and magnetic disks, and a carrier wave that encodes a data 
signal. Furthermore, it is common in the art to speak of software, in one form or another 
(e.g., program, procedure, process, application, module, logic...), as taking an action or 
causing a result. Such expressions are merely a shorthand way of saying that execution of 
the software by a computer causes the processor of the computer to perform an action or a 
produce a result. 

[0041] It should be appreciated that by providing third party applications access rules to 
determine which API server to access, the online commerce merchant may prioritize and 
control the manner in which the third party applications access the online commerce site 
106. The online commerce site 106 may prioritize access by class of customer or service 
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being accessed when needed to achieve any necessary service level. In this way, 
premium services may be provided to specific third party applications thereby guaranteeing 
availability of services on the premium site, among other advantages. 

[0042] In addition, only those third party applications and API function calls that have the 
appropriate access rule may access the API server, thereby preventing other parties from 
sharing services by using a specific URL assigned to another third party application. Also, 
since a single third party application may access different API servers based on the specific 
API function call, the invention also prevents the third party user from arbitrary selecting 
any one of the API servers. 

[0043] Although the exemplary embodiment of described herein details how an online 
auction merchant prioritizes third party application requests from API function calls with 
access rules, it should be understood that the invention is not limited to prioritizing third 
party application's access to an online auction site. Alternatively, an access rule may be 
used to prioritize access to alternative online commerce environments and to alternative 
sen/ices provided by an online commerce facility. 

[0044] Although the invention describes how a third party application connects to an API 
server, in alternative embodiments, the third party application connects to an API server 
pool (e.g., multiple API servers) that are controlled by a resonate load balancer and 
respond to the same URL. Load balancing network topologies are well know in the art and 
have not been described in detail in order not to obscure the invention. 

[0045] It is also understood that access rules may be delivered to a third party application 
server via means other than the API function described. In alternative embodiments, the 
access rules may be transferred to the third party application server by other well-known 
file transfer mechanisms within the scope of the invention. In addition, in some 
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embodiments the access rules are preemptively not transferred to the third party 
application server but the third party application server searches access rules on the online 
commerce site before performing a specific API function to determine which API server to 
connect when accessing the online commerce site 106. 

[0046] While the invention has been described in terms of several embodiments, those 
skilled in the art will recognize that the invention is not limited to the embodiments 
described. The method and apparatus of the invention can be practiced with modification 
and alteration within the spirit and scope of the appended claims. The description is thus to 
be regarded as illustrative instead of limiting on the invention. 
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